... But Creates New Challenges for Security


- Don't know how many assets you have
- Don't know when those assets are running
- Credential issues / Authentication failures
- Monthly / weekly scanning too slow [WannaCry]
- Can't scan remote users




Qualys Sensors: scalable, self-updating & centrally managed

Physical
- Legacy data centers
- Corporate infrastructure
- Continuous security and compliance scanning

Virtual
- Private cloud infrastructure
- Virtualized infrastructure
- Continuous security and compliance scanning

Cloud/Container
- Commercial IaaS & PaaS clouds
- Pre-certified in marketplace
- Fully automated with API orchestration
- Continuous security and compliance scanning

Cloud Agents
- Lightweight, multi-platform
- On premise, elastic cloud & endpoints
- Real-time data collection
- Continuous evaluation on platform for security and compliance

Passive
- Passively sniff on network
- Real-time device discovery & identification
- Identification of APT network traffic
- Extract malware files from network for analysis

API
- Integration with Threat Intel feeds
- CMDB Integration
- Log connectors


Qualys Cloud Agent Platform

Software Agent: Windows, Linux, Mac, AIX, Cloud Native

Delivers Multiple Security Functions in one Agent

Central Management / API

Qualys Suite of Applications

- Efficient Network Usage: 50 - 350 KB / day (Delta Processing average)
- Lightweight Metadata Collection (tunable): 1-2% CPU
- Windows, Linux, Mac, AIX: 3 MB application

IT, Security, Compliance Apps
- Asset Inventory
- Vulnerability Management
- Policy Compliance
- Indication of Compromise Detection
- File Integrity Monitoring

Upcoming IT App (Beta November 2018)
- Patch Management

Agent Modules

Try and Manage Apps on One Cloud Agent
- End the fight with IT to deploy security agents!
- Remove point-solution agents from your endpoints
- Consolidate security tools


Activation Key - Edit the activation key

An activation key is used to install agents. This provides a way to group agents and better manage your account. By default this key is unlimited - it allows you to add any number of agents at any time.

Title: Global_user_endpoints

Provision Key for these applications (Set limits):
- Vulnerability Management: 98919 Licenses Remaining
- File Integrity Monitoring: 998 Licenses Remaining
- Policy Compliance: 99134 Licenses Remaining
- Indication of Compromise: 96 Licenses Remaining

Unlimited Key
Cloud Agent Extends Network Scanning

- No scan needed - always collecting
- Find vulnerabilities faster
- Detect a fixed vulnerability faster
- Many new Apps only available on Agent
- Best for assets that can't be scanned:
  - Unable to get credentials / authentication failures
  - Remote systems in branch offices / NAT
  - Roaming user endpoints
  - Cloud / Elastic deployments
Cloud Agent Adoption

[Chart: Number of Cloud Agents Sold (units in millions), LTM Q4 2017, Q1 2018, Q2 2018, Q3 2018]

Cloud Agent VM Usage and Growth Drivers

[Chart: y-axis 100,000s / 1,000,000 / 10,000,000s]

- Visibility + lightweight agent increases adoption
- 2017 (50-300K) for Servers (AWS primarily): deploy on servers to overcome customer limitations with their network scanning (auth issues, scan windows, more frequent VM assessments)
- Initial adoption for end-users (WannaCry); growth in endpoint deployments; increase endpoints
- Early CA deployments in AWS and Azure; increase in public cloud; capture migration from on-premise servers to public cloud
- Initial work to build CA into CI/CD/DevOps pipelines


Cloud Agent CPU Tuning - Linux

VM: < 1.2% CPU peak usage for less than 15 mins

[Chart: CPU Utilization (Percent), Average, Time Range 12 Hours, AWS t2.micro instance running Cloud Agent; highest tick shown 0.801]

AWS EC2: not allowed to scan nano, micro, or small instances using network scanning.

Cloud Agent CPU Tuning - Windows
Cloud Native - Collect Provider Metadata

Agent collects metadata locally.

AWS EC2 | Microsoft Azure | Google Compute Platform
accountId | dnsservers | hostname
amiId | ipv6 | instanceId
availabilityZone | location | macAddress
hostname | macAddress | machineType
hostnamePublic | name | network
instanceId | offer | privateIpAddress
instanceType | osType | projectId
kernelId | privateIpAddress | projectIdNo
macAddress | publicIpAddress | publicIpAddress
privateIpAddress | publisher | zone
publicIpAddress | resourceGroupName |
region | tags |
reservationId | subnet |
securityGroupIds | subscriptionId |
securityGroups | version |
subnetId | vmId |
VPCId | vmSize |

Cloud Provider Metadata (AWS EC2 example)

accountId: 383031258652
ami-id: ami-d874e0a0
ami-launch-index: 2
availabilityZone: us-west-2a
hostname: ip-172-31-36-214.us-west-2.compute.internal
imageId: ami-d874e0a0
instance-id: i-03e86d77745bb2bba
instanceType: t2.micro
local-hostname: ip-172-31-36-214.us-west-2.compute.internal
local-ipv4: 172.31.36.214
mac: 06:26:0c:74:c5:9a
privateIp: 172.31.36.214
profile: default-hvm
public-hostname: ec2-18-236-81-63.us-west-2.compute.amazonaws.com
public-ipv4: 18.236.81.63
region: us-west-2
reservation-id: r-06e65580c2918a00ba
security-groups: launch-wizard-2
Cloud Instance Metadata Merge and Agent Dynamic License Management

EC2 Connector - Available now
aws.ec2.accountId
aws.ec2.availabilityZone
aws.ec2.hostname
aws.ec2.hostnamePublic
aws.ec2.imageId
aws.ec2.instanceState
aws.ec2.instanceType
aws.ec2.kernelId
aws.ec2.privateDNS
aws.ec2.privateIPAddress
aws.ec2.publicDNS
aws.ec2.publicIPAddress
aws.ec2.region.code
aws.ec2.region.name
aws.ec2.spotInstance
aws.ec2.subnetId
aws.ec2.VPCId

Cloud Agent - Available now
aws.ec2.accountId
aws.ec2.availabilityZone
aws.ec2.hostname
aws.ec2.imageId
aws.ec2.instanceType
aws.ec2.kernelId
aws.ec2.privateDNS
aws.ec2.privateIPAddress
aws.ec2.publicDNS
aws.ec2.publicIPAddress
aws.ec2.region.code
aws.ec2.region.name
aws.ec2.subnetId
aws.ec2.VPCId

- Automatically merge on Instance ID (Nov
- Automated Rules (Dec 2018): "When instanceState = TERMINATED, then remove Cloud Agent license"
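The merge-and-rule flow on this slide, written out as an added Python example. This is not Qualys code: the record layouts, the agentId and licensed fields, and the sample instance IDs are constructed assumptions. The connector's instanceState is treated as the lifecycle authority, agent data is never allowed to overwrite it, and instances seen by only one source are surfaced instead of silently dropped, which is the inventory gap the earlier "don't know how many assets you have" slide is about.

```python
"""Added example (not Qualys code): merge cloud-connector inventory with
cloud-agent inventory on the EC2 instance ID, then apply a state-based
lifecycle rule. Record shapes and sample values are constructed."""

# Constructed sample: what an EC2 connector reports (cloud API view).
CONNECTOR_RECORDS = [
    {"aws.ec2.instanceId": "i-0aaa111", "aws.ec2.instanceState": "RUNNING",
     "aws.ec2.region.code": "us-west-2", "aws.ec2.publicIPAddress": "203.0.113.10"},
    {"aws.ec2.instanceId": "i-0bbb222", "aws.ec2.instanceState": "TERMINATED",
     "aws.ec2.region.code": "us-west-2", "aws.ec2.publicIPAddress": ""},
    {"aws.ec2.instanceId": "i-0ccc333", "aws.ec2.instanceState": "STOPPED",
     "aws.ec2.region.code": "us-east-1", "aws.ec2.publicIPAddress": ""},
]

# Constructed sample: what agents reported from inside the instance
# (metadata service view). agentId/licensed are assumed field names.
AGENT_RECORDS = [
    {"agentId": "agent-1", "aws.ec2.instanceId": "i-0aaa111",
     "aws.ec2.privateIPAddress": "172.31.36.214", "licensed": True},
    {"agentId": "agent-2", "aws.ec2.instanceId": "i-0bbb222",
     "aws.ec2.privateIPAddress": "172.31.40.7", "licensed": True},
    {"agentId": "agent-3", "aws.ec2.instanceId": "i-0ddd444",  # no connector record
     "aws.ec2.privateIPAddress": "10.0.0.5", "licensed": True},
]


def merge_on_instance_id(connector, agents):
    """Return one asset per instance ID combining both sources.

    Connector fields are written first; agent fields are only added when the
    key is absent, so the connector's instanceState can never be overwritten
    by stale in-guest data. Assets seen by a single source are kept."""
    assets = {}
    for rec in connector:
        iid = rec["aws.ec2.instanceId"]
        assets[iid] = {"sources": {"connector"}, **rec}
    for rec in agents:
        iid = rec["aws.ec2.instanceId"]
        asset = assets.setdefault(iid, {"sources": set()})
        asset["sources"].add("agent")
        for key, value in rec.items():
            asset.setdefault(key, value)
    return assets


def licenses_to_release(assets):
    """The slide's rule: instanceState == TERMINATED -> remove the agent license.
    Returns the agent IDs whose license should be released, sorted."""
    return sorted(
        a["agentId"] for a in assets.values()
        if a.get("aws.ec2.instanceState") == "TERMINATED"
        and "agent" in a["sources"] and a.get("licensed")
    )


def unmatched(assets):
    """Assets seen by only one source. An agent with no connector record may
    sit in an account the connector is not configured for; a connector record
    with no agent is an instance nothing is assessing from the inside."""
    return {iid: sorted(a["sources"])
            for iid, a in assets.items() if len(a["sources"]) == 1}


if __name__ == "__main__":
    merged = merge_on_instance_id(CONNECTOR_RECORDS, AGENT_RECORDS)
    print("release licenses:", licenses_to_release(merged))
    print("review:", unmatched(merged))
```

Running the block releases only agent-2 (its instance is TERMINATED) and flags i-0ccc333 (connector only) and i-0ddd444 (agent only) for review; the RUNNING instance keeps both the connector's public address and the agent's private address on one record.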


Integrate Cloud Agent Into DevOps

Use Cases for DevOps
- Build Cloud Agent into gold image or auto-deploy with CI/CD - self-service results from Qualys API/UI & integrations
- Get vulnerability and configuration posture of OS and application along the DevOps pipeline
- Fix/verify security issues before going into production

Use Cases for Security
- End-to-end lifecycle tracking - development, deployment, production, decommission
- Same Cloud Agent across cloud, on-premise, endpoint, hybrid
- Single platform as DevOps tools evolve - Qualys Container Security, Jenkins integration, API automation, more
Cloud Agent - Microsoft Azure Integration

[Screenshot: Security Center - Overview > Recommendations]

Monitoring recommendations
- Data collection installation status: 31 of 56 VMs

Virtual machines recommendations
- Endpoint Protection not installed: 4 of 56 VMs
- Missing scan data: 11 of 56 VMs
- Remediate OS vulnerabilities (by Microsoft): 5 of 56 VMs
- Missing system updates: 1 of 56 VMs
- Endpoint Protection health failures: 1 of 56 VMs
- Missing disk encryption: 5 of 56 VMs
- OS version not updated: 2 of 4 Roles
- Vulnerabilities found: 2 of 56 VMs
- Healthy: 6 of 60 VMs & Roles
Add a vulnerability assessment solution

[Screenshot: Install on 2 VMs - vm3 and vm4, subscription ASC. Add a Vulnerability Assessment: Create New, or Use existing solution - Qualys, Inc., Qualys-VA]
[Screenshot: Azure Security Center virtual machine detail]
- Resource group: HS_RESOURCEGROUP
- Subscription: Visual Studio Premium with MSDN
- Operating system: Windows
- Status: Deallocated
- Monitoring state: Monitored by Azure Security Center
- Prevention status: High severity

Security Solutions
- System updates: Microsoft (Last scan time - 10/3/2016 1:22 PM)
- OS vulnerabilities: Microsoft (Last scan time - 10/3/2016 1:22 PM)
- Vulnerability scanner - Preview: Qualys (Last scan time - 10/3/2016 11:56 PM)

Recommendations: 20
[Screenshot: vulnerability list reported by the Qualys scanner]

Vulnerability name | Severity
Enabled DCOM | High
Allowed Null Session | Medium
Enabled Cached Logon Cre... | Medium
Machine Information Discl... | Medium
Microsoft Windows Explore... | Medium
Windows Explorer Autopla... | Medium
Access to File Share is Enab... | Low
ActiveX Controls Enumerated | Low
Antivirus Product Not Dete... | Low
Disabled Clear Page File | Low
Enabled Caching of Dial-up... | Low
Enabled Display Last Usern... | Low
File Access Permissions for... | Low
Host Scan Time | Low
Hyper-V Host Information... | Low
Installed Applications Enu... | Low
Internet Protocol version 6 ... | Low
IPSEC Policy Agent Service ... | Low
Message For Users Attempt... | Low


Vulnerability name: Enabled DCOM
Severity: High

Description: The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network. The Distributed Component Object Model (DCOM) is enabled on this system.

Solution: Refer to Microsoft article Best Practices for Mitigating RPC and DCOM Vulnerabilities to obtain information on vulnerabilities in DCOM and ways to mitigate those vulnerabilities. Information on disabling DCOM can be found at the Microsoft Technet article called How to Disable DCOM Support in Windows. For disabling DCOM on Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 refer to Microsoft's article Enable or Disable DCOM.
Vulnerability Spread at Speed of DevOps

[Screenshot: Azure portal, Virtual machines: RHEL74-CC1-Azure, nutuz5-cc2-Azure, RHEL75-CC3-USEast2-Azure; Recommended: Red Hat 7.4 (Marketplace image)]

[Screenshot: Azure Marketplace, Virtual Machine Images: Windows Server (Microsoft), Red Hat Enterprise Linux (Red Hat), Ubuntu Server (Canonical), SQL Server 2017 Enterprise (Microsoft), Unified Communications (Quest Software), RemoteScan Enterprise (Quest Software), Pivotal Cloud Foundry on Azure (Pivotal Software), Aqua Container Security Platform (Aqua Security)]


Auto-Deploy Qualys Cloud Agent

[Screenshot: Azure Security Center > Security solutions (Threat Protection, Advanced Cloud Defense). Connected solutions (1) - all security solutions currently connected to Security Center: Healthy. Add data sources (5): Non-Azure computers, Common Event Format]
Vulnerability Results

[Screenshot: asset RHEL74-CC1-Azure, View Mode: Vulnerabilities; asset views: Asset Summary, Agent Summary, Network Information, Open Ports, Installed Software, Vulnerabilities, Threat Protection RTIs, File Integrity Monitoring, Indication of Compromise, Alert Notifications, Azure VM Information]

Confirmed Vulnerabilities: sev5 1, sev4 16, sev3 7 (24 total)
Potential Vulnerabilities: sev5 0, sev4 0, sev3 3 (3 total)
Vulnerability Detection by Status in the last 7 days: Active / Reopened / Fixed
Threat Protection Exploitability

Threat Protection Summary - Total Vulnerabilities by RTIs: Zero Day, Unpatchable, Active Attacks, High Lateral Movement, High Data Loss, Vulnerable to DOS, Public Exploit

Latest Threats from Live Feed (Published column shows 8/29/2018)
- OpenSSH User name Enumeration Vulnerability : CVE-2018-15473
- L1 Terminal Fault / Foreshadow Attack aka L1TF Attack
- PoC Exploit available for CVE-2018-15473
- SegmentSmack: CVE-2018-5390
Cloud Agent Roadmap

Agent Releases
- Mac 1.7.2 - released Aug 29
- Linux 2.1 upgrade from 2.0 (FIM) - released Aug 29
- Linux 2.2 - Dec rollout for Policy Compliance UDCs
- Windows 2.1.1 rollout - started Oct 17 / complete Oct 22
- https://www.qualys.com/documentation/release-notes

Features
- Cloud Provider Metadata (AWS, Azure, GCP) - available
- EC2 Connector / Cloud Agent merge - available
- Nov - Windows agent to support Patch Management Beta
- Dec - Policy Compliance UDCs (Windows / Linux / AIX)
- Dec - Agent Lifecycle Management (Public cloud: state-based w/ Connector; any asset: time-based)
Qualys Indication of Compromise

Bringing IOC to the Next Level

Giorgio Gheri
Security Solutions Architect, Qualys, Inc.

Adversary TTPs are Changing

Early 2010s: Zero-day Vulnerabilities (Nation State, Industrial Espionage, Black Market)

Today: Rapidly weaponizing newly-disclosed vulnerabilities (Good, Fast, Cheap - Pick 3)
Known Critical Vulnerabilities are Increasing

[Chart: Reported Vulnerabilities]

- 6-7K vulnerabilities are disclosed each year*
- 30-40% are ranked as "High" or "Critical" severity
- "Mean Time to Weaponize" (MTTW) is rapidly decreasing y/y
Announcing: CVE-2018-12238

Multiple Symantec Products CVE-2018-12238 Local Security Bypass Vulnerability

Bugtraq ID: 105917
CVE: CVE-2018-12238
Remote: No  Local: Yes
Published: Nov 28 2018 12:00AM
Credit: Qualys Malware Research Lab
QID 371338

Vulnerable:
Symantec Norton AntiVirus 22.7
Symantec Norton AntiVirus 21.0
Symantec Norton AntiVirus 17.6.0.32
Symantec Endpoint Protection Cloud 12.1.6
Symantec Endpoint Protection Cloud 14
Symantec Endpoint Protection 12.1.6 MP4
Symantec Endpoint Protection 12.1.6
+ 95 other products


Malware Hides with Stolen Code-Signing Certificates

welivesecurity.com: "Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign" - D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan

https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/
Vulnerability Management Lifecycle

Asset Inventory -> Vulnerability Management -> Threat Risk and Prioritization -> Patch Management
Get Proactive - Reduce the Attack Surface

- Immediately Identify Vulnerabilities in Production
- Notify IT Asset Owner to Patch/Stop the Instance
- Control Network Access / Cloud Security Groups
- Change Configuration to Limit Access (Compliance)
- Add Detection and Response - Endpoint & Network
Proactively Hunt, Detect, and Respond

Indication of Compromise: Detect IOCs, IOAs, and verify Threat Intel

Sensor: What new devices are on the network? Are there new/different traffic patterns?
Organizations Struggle to Answer Basic Questions

- Are these hashes on/running in my network?
- Are these mutexes / processes / registry keys?
- Did any endpoints connect to these IPs / Domains?
- Are there any connections to TOR exit nodes?
- What system is the first impacted? "Patient Zero"
- Did this spread to other systems? When?
Qualys IOC Use Cases - Visibility Beyond AV

Threat Intel Verification
- Threat Intel Feeds / Mandated to Verify: "Is this hash, registry, process, mutex on my network?"

Hunting / Find Suspicious Activity
- Indicator of Activity hunting with pre-built and user-defined queries for Fileless attacks

API Integration
- SIEM and Threat Feeds (OEM, customer)

"Look Back" Investigation after a known breach
- Find the first occurrence of a breach

Detect Known/Unknown Malware Family Variants
Threat Intel Verification

- Search for the file hash

[Excerpt from the October 6, 2017 report "NotPetya Ransomware spreading using ETERNALBLUE Vulnerability and Credential Stealing"]

On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware—referred to as NotPetya—encrypts files with extensions from a hard-coded list. Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods using the ETERNALBLUE vulnerability and credential stealing via a modified version of Mimikatz.

Technical Details
Anti-Virus Coverage: VirusTotal reports 0/66 anti-virus vendors have signatures for the credential stealer as of the date of this report.

Delivery - MD5: 71b6a493388e7d0b40c83ce903bc6b04
Installation - MD5: 7e37ab34ecdcc3e77e24522ddfd4852d
Credential Stealer (new) - MD5: d926e76030f19f1f7ef0b3cd1a4e80f9

Secondary Actions: NotPetya leverages multiple propagation methods to spread within an infected network. According to malware analysis, NotPetya attempts the lateral movement techniques below:

[Screenshot: Qualys Indication of Compromise demo, Hunting for d926e76030f19f1f7ef0b3cd1a4e80f9 over the last 7 days; results: svchost.exe on WIN2008R2-11566 (a day ago), WIN7-320860-T44 (10.11.114.109)]

1. Threat Intelligence lists attack information ...
2. Find the object there.
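The hunt shown above, written as an added Python example rather than anything from the Qualys product. The telemetry rows are constructed (the host names reuse the ones visible in the screenshot), the MD5 indicators are the three NotPetya hashes quoted from the report, and the known-bad IP is a TEST-NET placeholder. It answers the "basic questions" slide from earlier in the deck: is each hash or IP present anywhere, which host was "Patient Zero", and in what order did other hosts show the indicator.

```python
"""Added example (not Qualys code): match endpoint telemetry against a
small indicator set and derive first-seen / spread order. Telemetry is
constructed; MD5 values are the NotPetya hashes quoted on this page."""

INDICATORS = {
    "md5": {
        "71b6a493388e7d0b40c83ce903bc6b04": "NotPetya delivery",
        "7e37ab34ecdcc3e77e24522ddfd4852d": "NotPetya installation",
        "d926e76030f19f1f7ef0b3cd1a4e80f9": "NotPetya credential stealer",
    },
    # Constructed placeholder (TEST-NET-1), standing in for a feed entry.
    "ip": {"192.0.2.77": "constructed known-bad IP"},
}

# Constructed telemetry rows: (ISO timestamp, host, process, md5, dest ip).
EVENTS = [
    ("2017-06-27T10:02:00", "WIN7-320860-T44", "perfc.dat",
     "7e37ab34ecdcc3e77e24522ddfd4852d", None),
    ("2017-06-27T10:05:30", "WIN7-320860-T44", "svchost.exe",
     "0123456789abcdef0123456789abcdef", "192.0.2.77"),
    ("2017-06-27T10:41:12", "WIN2008R2-11566", "perfc.dat",
     "7E37AB34ECDCC3E77E24522DDFD4852D", None),   # mixed case on purpose
    ("2017-06-27T10:42:00", "WIN2008R2-11566", "dllhost.dat",
     "d926e76030f19f1f7ef0b3cd1a4e80f9", None),
    ("2017-06-27T11:00:00", "FILESRV-01", "explorer.exe",
     "ffffffffffffffffffffffffffffffff", "198.51.100.9"),   # clean host
]


def match_indicators(events, indicators=INDICATORS):
    """Every telemetry row that carries a known hash or destination IP,
    oldest first. Hashes are normalised to lower case before lookup so a
    feed and an endpoint that differ only in case still match."""
    hits = []
    for ts, host, proc, md5, dst in events:
        key = (md5 or "").lower()
        if key in indicators["md5"]:
            hits.append({"time": ts, "host": host, "process": proc,
                         "kind": "md5", "value": key,
                         "label": indicators["md5"][key]})
        if dst and dst in indicators["ip"]:
            hits.append({"time": ts, "host": host, "process": proc,
                         "kind": "ip", "value": dst,
                         "label": indicators["ip"][dst]})
    return sorted(hits, key=lambda h: h["time"])   # ISO strings sort as time


def indicator_presence(hits, indicators=INDICATORS):
    """'Are these hashes / IPs on my network?' answered per indicator."""
    seen = {(h["kind"], h["value"]) for h in hits}
    return {value: (kind, value) in seen
            for kind, table in indicators.items() for value in table}


def patient_zero(hits):
    """Host carrying the earliest indicator hit, or None if nothing matched."""
    return hits[0]["host"] if hits else None


def spread_timeline(hits):
    """First time each host showed any indicator, in order of first sighting.
    This is the 'did it spread, and when' answer; hosts are listed once."""
    first = {}
    for h in hits:
        first.setdefault(h["host"], h["time"])
    return sorted(first.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    found = match_indicators(EVENTS)
    for h in found:
        print(h["time"], h["host"], h["process"], h["label"])
    print("patient zero:", patient_zero(found))
    print("spread:", spread_timeline(found))
```

On the constructed rows the delivery hash is absent, the installer and credential-stealer hashes are present, WIN7-320860-T44 is Patient Zero, and WIN2008R2-11566 first shows an indicator 39 minutes later; FILESRV-01 never appears in the spread list. The case-folding step matters in practice because feeds and endpoint agents rarely agree on hash casing.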
Indication of Compromise

- Threat Intel Verification
- Hunting
- Alerting
- Create Emergency Patch Job from CVE Exploitation

[Screenshot: hunting search on hash 18fc1b9b29a2d281ec9310f9f226ad77e3cb9c558f696c37390bbac72baa8ba8 and IP 168.63.129.16]

IOC 2.0 Release (Dec 2018)

Responses - Alerting and Actions
- Send alerts via Email, Slack, PagerDuty for any Hunting (QQL) searches

UI Updates
- Event Relationship Tree / Trending Widgets / Event Group By Asset

Threat Feed (find malware that legacy AV may have missed)
- Known Bad - 1B hashes
- CVE-to-Malware hashes (shared with Threat Protection)

New Scoring Model
- Prioritization for Investigation and Response (confirmed vs. suspicious)
- Integration with Alerting / Actions

IOC API
- Integrate with any 3rd party SIEM / TIP

Splunk TA + Dashboards - Jan 2019


New IOC CVE - File Reputation Threat Feed

Find Vulnerabilities
- Verify that vulnerabilities have been remediated
- Prioritize vulnerability remediation on criticality

Real-Time Indicators for which vulnerabilities have known / POC exploits
- Prioritize vulnerability remediation on likelihood of attack

Threat Feed of malware hashes used in real-world vulnerability exploits
- Prioritize vulnerability remediation based on successful attacks in your network

Perform scheduled and urgent remediation through Qualys Patch Management
Thank You

Giorgio Gheri
ggheri@qualys.com


